Hunting vintage MS-DOS viruses from Cuba to Pakistan

Security researchers and enthusiasts try to understand and preserve the history of malware.

The Caribbean country of Cuba is a vintage car museum, with Chevys and Plymouths from the 1940s and 1950s, some in mint condition, others rusting away and featuring spare parts from Volgas, Ladas and other Soviet vehicles imported since the 1960s.

While classic cars appear in photographs and are often cited as a top tourist attraction, another side of retro Cuba is hidden from view. The country has some of the oldest computers still in use, and it was likely the place where the last MS-DOS viruses were seen in the wild not very long ago.

An open time capsule

Software developer Victor Manuel Alvarez, the creator of the malware research tool YARA, is a Cuba native. He got his B.Sc. in Computer Science from the University of Havana in 2001, and during the last year of his studies, he worked for Segurmática, the only Cuban antivirus lab.

Alvarez became interested in security just in time to catch the end of the DOS malware era in Cuba and, probably, in the world. “It wasn't uncommon to see MS-DOS running in some places even in the early 2000s,” he says by email. Several current and former Segurmática employees confirm this for CSO, and one says that the lab’s products are still working on Pentium III CPU-based computers running Windows XP. The company did not reply to our requests for comment.

“We are a little country, but our people put their hearts in what they do,” a Cuban researcher tells me in English. “We try to do our best.”

Before 2008, only foreigners and companies were allowed to buy PCs. The first decree Raúl Castro signed after he became Cuba’s leader authorized the unrestricted sale of computers, DVDs and video players. Even so, in a country where a few U.S. dollars could go a long way, only a limited number of locals could afford them.

The state of technology in Cuba has significantly improved in the last decade. When Alvarez was a teenager, it was common to see PCs that were 10, 15 or even 20 years old, he says. “I started to learn programming with an IBM XT clone from 1983, and it was 1993! Those computers were still in use in 1995-96.”

Cuba imported hardware from whoever didn't mind violating the U.S. embargo, Alvarez says. “It was something similar to what happened with cars. We had a variety of computers from different brands and countries, including Russian, East German, Japanese and American ones. I remember using some real Texas Instruments and IBM PCs.”

Alvarez experienced DOS malware more as a user than a researcher, as he liked to share floppy disks with his friends. “Most of them were relatively boring viruses, with no visual effect, but at some point, I remember getting the Cascade virus, which caused the letters in your screen to fall down,” he says. “I was more amused than frustrated.”

Security intrigued him, so he spent a lot of time learning Assembly, doing reverse-engineering and using system debuggers. When he was about to graduate from the University of Havana in 2001, he had to do his thesis project with a company, a common practice in his country. So, he approached Segurmática. “They welcomed me warmly, and I worked in the detection of memory-resident viruses in Windows 9x,” he says.

Alvarez is now living in Spain, and for the last seven years he has been working as a staff software developer for VirusTotal, a platform that lets users scan files for malware. I ask him when the last DOS virus was uploaded. “Today,” he tells me. “We constantly receive all kinds of malware, even MS-DOS malware. This doesn't mean that all the malware we receive is found in the wild. In many cases, it's just people scanning their malware collections.”

Nobody knows for sure, but several security researchers believe that MS-DOS malware has lived the last chapter of its life secluded in Cuba. It was the end of a fascinating journey that began across the globe, in a small computer shop, in Lahore.

Tracking down the first MS-DOS virus

One day in February 2011, researcher Mikko Hyppönen of F-Secure left his freezing Finland to go to Lahore, one of Pakistan's most progressive and cosmopolitan cities and the place where Brain, the first MS-DOS virus in history, was written in 1986.

As a young security researcher, Hyppönen analyzed Brain and was mesmerized by how it worked and where it came from. So that winter, to mark the 25th anniversary of the virus, he decided to board a plane and finally go to Lahore to meet Brain’s creators.

“It felt really surreal,” Hyppönen tells me by phone. “I've got some kind of closure on myself for the whole thing. We captured an important piece of IT history, and I think we also got some kind of an answer to the mystery of the first PC virus.”

Tracking down Brain proved to be remarkably easy. Inside the code, its authors, brothers Amjad and Basit Farooq Alvi, listed a physical address and three phone numbers. “You would think that over the years they would have moved many, many times, but that’s the address where their company still operates today,” Hyppönen tells me.

When he arrived in Lahore, he didn’t know what to expect. The streets were filled with three-wheeled cars, donkey-drawn carts and motorcycles. But the brothers welcomed him, and he had the chance to do an interview. Amjad and Basit Farooq Alvi are now successful businessmen in Pakistan, and their company’s name is Brain Telecommunication.

Hyppönen asked them why they wrote the virus. They said they wanted to explore the holes in MS-DOS, but also to see how far software written by them, in Pakistan, could travel the world by floppy disks. They built medical software at that time, which was often pirated, and with Brain they believed they could track down illegal copies.

Tech-savvy users from different parts of the world noticed the virus in the late 1980s, and some even called the authors using the phone numbers hidden inside the code. “The first call we received was from Miami University,” Amjad Farooq Alvi told Hyppönen, “[from] someone taking care of a local magazine...I was shocked rather, because I had no expectations that…it will go so far.”

Brain infects the boot sector of a floppy disk. The original boot sector is moved to another place on the disk and marked as bad. The Pakistani brothers said the virus was not meant to be destructive. It was just an experiment, they said.
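A defender's view of the trick described above: a boot-sector virus that parks the original sector elsewhere and hides the space by marking it bad leaves a trace in the file allocation table. The following is an added example, not code from the article or from any of the labs it mentions; it parses a FAT12 floppy image, lists every cluster flagged with the bad-cluster marker, and checks that the FAT copies agree. The image it runs on is constructed in `build_sample_image`, and the choice of clusters 5 to 7 is an assumption for illustration, not a signature of Brain.

```python
import struct

BAD_CLUSTER = 0xFF7          # FAT12 value marking a cluster as unusable
FIRST_DATA_CLUSTER = 2       # clusters 0 and 1 are reserved in every FAT


def parse_bpb(image: bytes) -> dict:
    """Decode the BIOS Parameter Block that every FAT12 boot sector carries."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     root_entries, total_sectors, media, sectors_per_fat) = struct.unpack_from(
        "<HBHBHHBH", image, 11)
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    data_sectors = (total_sectors - reserved_sectors
                    - num_fats * sectors_per_fat - root_dir_sectors)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "sectors_per_fat": sectors_per_fat,
        "total_sectors": total_sectors,
        "media": media,
        "cluster_count": data_sectors // sectors_per_cluster,
    }


def fat12_entry(fat: bytes, n: int) -> int:
    """Return the 12-bit FAT entry for cluster n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0xFFF


def set_fat12_entry(fat: bytearray, n: int, value: int) -> None:
    """Write a 12-bit FAT entry; used only to build the constructed sample image."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def fat_copies(image: bytes, bpb: dict) -> list:
    """Slice each FAT copy out of the image; copy 0 follows the reserved sectors."""
    bps = bpb["bytes_per_sector"]
    size = bpb["sectors_per_fat"] * bps
    start = bpb["reserved_sectors"] * bps
    return [image[start + i * size: start + (i + 1) * size] for i in range(bpb["num_fats"])]


def audit_image(image: bytes) -> dict:
    """Triage a floppy image: list clusters marked bad and check that the FAT copies agree."""
    bpb = parse_bpb(image)
    fats = fat_copies(image, bpb)
    last_cluster = FIRST_DATA_CLUSTER + bpb["cluster_count"] - 1
    bad = [n for n in range(FIRST_DATA_CLUSTER, last_cluster + 1)
           if fat12_entry(fats[0], n) == BAD_CLUSTER]
    # A healthy disk keeps its FAT copies identical; a change applied to one copy only stands out.
    copies_match = all(f == fats[0] for f in fats[1:])
    return {"bpb": bpb, "bad_clusters": bad, "fat_copies_match": copies_match}


def build_sample_image() -> bytearray:
    """Constructed 1.44 MB layout: sector 0 plus two 9-sector FATs, no data region.
    Clusters 5-7 are marked bad in both FAT copies to mimic space hidden from DOS
    (a constructed illustration, not a dump of a real infected disk)."""
    bps, spf, nfats = 512, 9, 2
    image = bytearray(bps * (1 + nfats * spf))
    struct.pack_into("<HBHBHHBH", image, 11, bps, 1, 1, nfats, 224, 2880, 0xF0, spf)
    image[510:512] = b"\x55\xAA"
    fat = bytearray(spf * bps)
    set_fat12_entry(fat, 0, 0xFF0)      # media descriptor entry
    set_fat12_entry(fat, 1, 0xFFF)      # end-of-chain marker
    for n in (5, 6, 7):
        set_fat12_entry(fat, n, BAD_CLUSTER)
    for i in range(nfats):
        image[bps + i * len(fat): bps + (i + 1) * len(fat)] = fat
    return image


if __name__ == "__main__":
    report = audit_image(build_sample_image())
    print("clusters marked bad:", report["bad_clusters"])
    print("FAT copies identical:", report["fat_copies_match"])
```

Bad clusters alone are not proof of infection, since worn floppies earn them honestly; the useful signal is a handful of bad clusters on an otherwise clean disk, or FAT copies that disagree, which then justifies comparing sector 0 against a known-good boot sector.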

“They didn't really think that they were doing something nasty or illegal,” Hyppönen says. “And it wasn't illegal at that time; they broke no laws. They were basically curious.”

Gambling for your files

The Finnish researcher is a bit nostalgic for those early moments that marked the beginning of the security industry, when computer viruses were written for fun rather than profit, and researchers often had to solve clever puzzles or find hidden messages. It was a time when viruses were written by hobbyists, not by government-sponsored groups, a time when geography and social class mattered less and intelligence triumphed.

I ask Hyppönen to name his favorite DOS virus. He picks Casino, a piece of malware that lets the user try to win deleted files back on a digital slot machine. “This actually works; it gives you five chances to play the game,” the researcher says.

Casino activates itself on certain days of the year. It copies the file allocation table (FAT) to memory, and then it wipes it from the disk, so practically every file disappears. “The virus gives you the chance to play a game, and by winning the jackpot, you get your files back. If you don't win, you will lose all your files. And if you don't play the game, if you reset the computer, you automatically lose,” Hyppönen says.

He wishes he had done more to help early virus authors who, unlike the Pakistani brothers, turned into cybercriminals. “These were often people who were victims of the circumstances where they were growing up,” Hyppönen says.

He remembers a teenager he talked to in the 1990s, who started writing viruses to break away from his world. “He was in the middle of Finland, in the middle of nowhere, with the cows and horses,” the researcher says.

The teenager uploaded his work to a BBS (bulletin board system), an early type of forum for sharing software, chatting and reading the news. “The boy explained to me that he felt trapped in[side him]self. So, he wrote something which escaped, and when his virus made it out all the way into California, he felt good,” Hyppönen says.

These stories from the beginnings of the security industry should be told, not forgotten, Hyppönen says. Luckily, he thought about preserving those moments early on. He started to collect malware samples in 1991, thinking that they might be valuable one day. Like Brain, many of his viruses are stored on 5¼-inch floppy disks with the write-protect notch sealed with tape.

A few years ago, he donated his samples to the Internet Archive’s Malware Museum, so that young people and technology historians could see what it was like to have a computer infected with viruses in the late 1980s or the 1990s. Such initiatives to save the history of malware gather enthusiasts all across the world.

Malware in the mountains

At the base of the Rocky Mountains, in Boulder, Colorado, old technology gets one more chance to shine. The Media Archaeology Lab (MAL), a museum that hosts some of the most exciting computers ever made, is a space that welcomes anyone who wants to better understand the history of technology and its impact on society. “The past must be lived so that the present can be seen,” is the lab's motto.

Computers such as an Apple I replica, a few Commodore 64s, and even an Osborne 1, the first commercially successful portable machine, are set up on long benches next to typewriters, video game consoles, audio cassette players and cameras. All are in working condition and can be used by retro-tech enthusiasts and artists.

Andrew Brandt, principal security researcher for Sophos, who lives in Boulder, visited the Media Archaeology Lab last year for the first time. “I absolutely went over the moon for it! Because these are the kinds of computers that I used as a kid.”

Brandt started volunteering at the museum one afternoon a week, hoping to get his hands on some archaic software, but also to help the museum build a large collection of malicious samples. “I’m a malware analyst,” he tells me. “The MAL has a huge library of software, but one thing that they didn’t have, and that most people don’t have, is old malware. I wanted to see if I could get old viruses to run on these old devices.”

Brandt began to reconstruct four decades of security history by collecting samples and drawing a timeline that shows how viruses have evolved. He tries to understand what can be learned by analyzing pre-Windows malware and “whether or not we can actually see a genetic line between these old viruses and more modern ones.”

His research is still ongoing, but he plans to reveal his first conclusions during the next Virus Bulletin conference that will take place in London at the beginning of October.

The Sophos researcher wants to go back in time as much as he can. He started with Elk Cloner, one of the first known microcomputer viruses that spread in the wild. It was written in around 1982 by an American 15-year-old, Rich Skrenta, whose sole purpose was to play pranks on people. This was a boot sector virus that spread by infecting the Apple DOS 3.3 operating system. Another early virus is BHP, written in 1986 in Germany, the first piece of malware to attack the Commodore 64, Brandt’s childhood computer.

Let the games begin

The Media Archaeology Lab’s sample collection keeps growing, and quite a few MS-DOS viruses have arrived on the shelves. By looking at them, one can see how virus authors improved their skills to avoid being detected by security researchers. “It was the beginning of this cat-and-mouse game,” Brandt says.

Dutch researcher Righard Zwienenberg of ESET witnessed this game firsthand. He started working in security in 1988, and he still remembers the first MS-DOS virus that intrigued him. It was a variant of Jerusalem, he tells me: Jerusalem.1808.A204.A

“It was the first virus I encountered at the Technical University in Delft,” Zwienenberg says. Jerusalem was first detected in October 1987, and it had some quirky ideas for its time. It infected executables, adding about 1,800 bytes to their size. Most .EXE files would enlarge each time the user ran them. This could slow the computer momentarily, but that was all.
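The growth pattern described above is what the integrity checkers of that era looked for: many unrelated executables all growing by the same number of bytes. The following is an added example, not code from the article or from ESET; it takes a size-and-hash baseline of a set of executables, compares a later snapshot against it, and flags any size increase shared by several files. The directory contents are constructed stand-ins (minimal MZ-headed blobs), and the 1,808-byte appended body is an assumption chosen to match the figure in the text, not a real virus body.

```python
import hashlib
from collections import Counter


def snapshot(files: dict) -> dict:
    """Record size and SHA-256 for every executable; this is the known-good baseline."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def changed_files(baseline: dict, current: dict) -> list:
    """Files whose content hash differs from the baseline, with their size change in bytes."""
    findings = []
    for name, (size, digest) in sorted(current.items()):
        if name in baseline and baseline[name][1] != digest:
            findings.append({"name": name, "delta": size - baseline[name][0]})
    return findings


def common_growth(findings: list, min_files: int = 3) -> list:
    """Size increases shared by at least min_files executables. A parasitic file
    infector appends the same body to every host, while routine updates rarely
    grow many unrelated programs by exactly the same amount."""
    counts = Counter(f["delta"] for f in findings if f["delta"] > 0)
    return sorted((delta, n) for delta, n in counts.items() if n >= min_files)


def build_sample_fs(infected: bool = True) -> dict:
    """Constructed stand-ins for a DOS directory: MZ-headed filler, not real programs."""
    fs = {name: b"MZ" + bytes([i]) * (300 + 50 * i)
          for i, name in enumerate(["EDIT.EXE", "LINK.EXE", "WS.EXE", "DBASE.EXE"])}
    if infected:
        # Constructed: the same 1,808-byte body appended to three hosts, the kind of
        # uniform growth the article describes for a Jerusalem-style infection.
        body = bytes(range(256)) * 7 + b"\x90" * 16        # 7 * 256 + 16 = 1808 bytes
        for name in ("EDIT.EXE", "WS.EXE", "DBASE.EXE"):
            fs[name] += body
        fs["LINK.EXE"] += b"\x00" * 20                    # an unrelated small change
    return fs


def run_check() -> dict:
    """Baseline the clean directory, rescan the modified one, and report what stands out."""
    baseline = snapshot(build_sample_fs(infected=False))
    current = snapshot(build_sample_fs(infected=True))
    findings = changed_files(baseline, current)
    return {"changed": findings, "suspicious": common_growth(findings)}


if __name__ == "__main__":
    result = run_check()
    for f in result["changed"]:
        print(f"{f['name']:<10} changed by {f['delta']:+d} bytes")
    for delta, n in result["suspicious"]:
        print(f"{n} executables grew by exactly {delta} bytes: investigate")
```

Because the text notes that hosts kept growing with each run, taking snapshots on a schedule rather than once makes the same check catch cumulative growth too; the hash comparison is what makes the check independent of where the extra bytes were placed.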

The virus was set to go off on Friday the 13th, every year, except for 1987, and once the doomed day came, it deleted the programs the user attempted to execute. It displayed a slightly altered message when someone wanted to run an executable file. It read “Bad Command or file name,” with a capital C, instead of the well-known “Bad command or file name.”

A retro-tech collector himself, Zwienenberg likes to educate people on old viruses, and often likes to point out that some of today’s most common threats have been with us for a long time. He has a talk titled “Oops! It happened again,” which he delivers together with Eddy Willems, security evangelist at G Data.

Ransom for a cause

“Do you know when the first ransomware appeared?” he asks. “It was 1989.” That virus, known as the AIDS Trojan, infected computers through a floppy disk tagged “AIDS Information Introductory Diskette,” which was sent by snail mail.

AIDS would replace the AUTOEXEC.BAT file and would count how many times the computer booted. When it reached 90, it hid the directories on drive C: and encrypted the names of files, rendering the computer unusable. It asked those who wanted to access their data for a $189 ransom to be paid to a post office box in Panama, Zwienenberg tells me. “I don’t know how the author came up with that number, 189.”

It was soon discovered that the AIDS Trojan was written by an evolutionary biologist, Dr. Joseph Popp, who was later detained. He defended himself during the trial saying that all the money would have gone to AIDS research, a topic the author was interested in.

Even so, most virus writers from the late 1980s and early 1990s didn’t necessarily want money, Zwienenberg says. They were more interested in learning, and they hoped to get “15 seconds of fame on CNN.”

Unlike today, when malware tries to stay hidden, old virus authors preferred to put on a show and display not only technical, but also artistic skills. “Think about Yankee Doodle, which played the theme at 5 pm every day; Walker, where an old man with a stick walked across the screen; Casino or Cascade,” Zwienenberg says.

Sometimes, we lose sight of the lessons learned a few decades ago, the Dutch researcher says. Sophos’s Brandt agrees. “Companies are so focused on the next thing, that they become less aware of the past,” he says. “This is not helping us in the future. We’re getting lost in the forest for the trees, and we’re not looking at the big picture.”

This is why, like a rusty Plymouth car from Cuba, the MS-DOS malware history is in need of restoration.